CycloneDX
diff --git a/‎cyclonedx_py/_internal/environment.py‎
Lines changed: 6 additions & 7 deletions b/‎cyclonedx_py/_internal/environment.py‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎cyclonedx_py/_internal/py_interop/packagemetadata.py‎
Lines changed: 25 additions & 0 deletions b/‎cyclonedx_py/_internal/py_interop/packagemetadata.py‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎cyclonedx_py/_internal/utils/packaging.py‎
Lines changed: 30 additions & 23 deletions b/‎cyclonedx_py/_internal/utils/packaging.py‎
Lines changed: 30 additions & 23 deletions
diff --git a/‎cyclonedx_py/_internal/utils/pep639.py‎
Lines changed: 37 additions & 41 deletions b/‎cyclonedx_py/_internal/utils/pep639.py‎
Lines changed: 37 additions & 41 deletions
@@ -38,7 +38,7 @@
 from .utils.cdx import licenses_fixup, make_bom
 from .utils.packaging import metadata2extrefs, metadata2licenses, normalize_packagename
 from .utils.pep610 import PackageSourceArchive, PackageSourceVcs, packagesource2extref, packagesource4dist
-from .utils.pep639 import dist2licenses as pep639_dist2licenses
+from .utils.pep639 import dist2licenses_from_files as pep639_dist2licenses_from_files
 from .utils.pyproject import pyproject2component, pyproject2dependencies, pyproject_load
 
 if TYPE_CHECKING:  # pragma: no cover
@@ -184,13 +184,12 @@ def __add_components(self, bom: 'Bom',
 
             # region licenses
             lfac = LicenseFactory()
-            component.licenses.update(pep639_dist2licenses(dist, lfac, self._gather_license_texts, self._logger))
-            if len(component.licenses) == 0:
-                # According to PEP 639 spec, if licenses are declared in the "new" style,
-                # all other license declarations MUST be ignored.
-                # https://peps.python.org/pep-0639/#converting-legacy-metadata
-                component.licenses.update(metadata2licenses(dist_meta, lfac))
+            component.licenses.update(metadata2licenses(dist_meta, lfac,
+                                                        gather_texts=self._gather_license_texts))
+            if self._gather_license_texts:
+                component.licenses.update(pep639_dist2licenses_from_files(dist, lfac, logger=self._logger))
             licenses_fixup(component)
+            del lfac
             # endregion licenses
 
             del dist_meta, dist_name, dist_version
 
@@ -0,0 +1,25 @@
+# This file is part of CycloneDX Python
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+__all__ = ['PackageMetadata']
+
+import sys
+
+if sys.version_info >= (3, 10):
+    from importlib.metadata import PackageMetadata
+else:
+    from email.message import Message as PackageMetadata
@@ -24,39 +24,46 @@
 from cyclonedx.model.license import DisjunctiveLicense, LicenseAcknowledgement
 
 from .cdx import url_label_to_ert
-from .pep621 import classifiers2licenses
+from .pep621 import classifiers2licenses as pep621_classifiers2licenses
+from .pep639 import dist2licenses_from_files as pep639_dist2licenses_from_files
 
 if TYPE_CHECKING:  # pragma: no cover
     import sys
+    from logging import Logger
 
     from cyclonedx.factory.license import LicenseFactory
     from cyclonedx.model.license import License
 
-    if sys.version_info >= (3, 10):
-        from importlib.metadata import PackageMetadata
-    else:
-        from email.message import Message as PackageMetadata
+    from ..py_interop.packagemetadata import PackageMetadata
 
 
-def metadata2licenses(metadata: 'PackageMetadata', lfac: 'LicenseFactory') -> Generator['License', None, None]:
+def metadata2licenses(metadata: 'PackageMetadata', lfac: 'LicenseFactory',
+                      gather_texts: bool
+                      ) -> Generator['License', None, None]:
     lack = LicenseAcknowledgement.DECLARED
-    if 'Classifier' in metadata:
-        # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
-        classifiers: list[str] = metadata.get_all('Classifier')  # type:ignore[assignment]
-        yield from classifiers2licenses(classifiers, lfac, lack)
-    for mlicense in set(metadata.get_all('License', ())):
-        # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#license
-        if len(mlicense) <= 0:
-            continue
-        license = lfac.make_from_string(mlicense,
-                                        license_acknowledgement=lack)
-        if isinstance(license, DisjunctiveLicense) and license.id is None:
-            # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!)
-            yield DisjunctiveLicense(name=f"declared license of '{metadata['Name']}'",
-                                     acknowledgement=lack,
-                                     text=AttachedText(content=mlicense))
-        else:
-            yield license
+    if (lexp := metadata.get('License-Expression')) is not None:
+        # see spec: https://peps.python.org/pep-0639/#add-license-expression-field
+        yield lfac.make_from_string(lexp,
+                                    license_acknowledgement=lack)
+    else:  # per PEP630, if License-Expression exists, the deprecated declarations MUST be ignored
+        if 'Classifier' in metadata:
+            # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#classifier-multiple-use
+            classifiers: list[str] = metadata.get_all('Classifier')    # type:ignore[assignment]
+            yield from pep621_classifiers2licenses(classifiers, lfac, lack)
+        for mlicense in set(metadata.get_all('License', ())):
+            # see spec: https://packaging.python.org/en/latest/specifications/core-metadata/#license
+            if len(mlicense) <= 0:
+                continue
+            license = lfac.make_from_string(mlicense,
+                                            license_acknowledgement=lack)
+            if isinstance(license, DisjunctiveLicense) and license.id is None:
+                if gather_texts:
+                    # per spec, `License` is either a SPDX ID/Expression, or a license text(not name!)
+                    yield DisjunctiveLicense(name=f"declared license of '{metadata['Name']}'",
+                                             acknowledgement=lack,
+                                             text=AttachedText(content=mlicense))
+            else:
+                yield license
 
 
 def metadata2extrefs(metadata: 'PackageMetadata') -> Generator['ExternalReference', None, None]:
 
@@ -40,6 +40,8 @@
     from cyclonedx.factory.license import LicenseFactory
     from cyclonedx.model.license import License
 
+    from ..py_interop.packagemetadata import PackageMetadata
+
 
 def project2licenses(project: dict[str, Any], lfac: 'LicenseFactory',
                      gather_texts: bool, *,
@@ -72,50 +74,44 @@ def project2licenses(project: dict[str, Any], lfac: 'LicenseFactory',
 _LICENSE_LOCATIONS = ('licenses', 'license_files', '')
 
 
-def dist2licenses(
+def dist2licenses_from_files(
     dist: 'Distribution', lfac: 'LicenseFactory',
-    gather_texts: bool,
     logger: 'Logger'
 ) -> Generator['License', None, None]:
     lack = LicenseAcknowledgement.DECLARED
-    metadata = dist.metadata  # see https://packaging.python.org/en/latest/specifications/core-metadata/
-    if (lexp := metadata['License-Expression']) is not None:
-        # see spec: https://peps.python.org/pep-0639/#add-license-expression-field
-        yield lfac.make_from_string(lexp,
-                                    license_acknowledgement=lack)
-    if gather_texts:
-        for mlfile in set(metadata.get_all('License-File', ())):
-            # see spec: https://peps.python.org/pep-0639/#add-license-file-field
-            # latest spec rev: https://discuss.python.org/t/pep-639-round-3-improving-license-clarity-with-better-package-metadata/53020  # noqa: E501
-            content = None
-            for mlpath in _LICENSE_LOCATIONS:
+    metadata: 'PackageMetadata' = dist.metadata  # see https://packaging.python.org/en/latest/specifications/core-metadata/
+    for mlfile in set(metadata.get_all('License-File', ())):
+        # see spec: https://peps.python.org/pep-0639/#add-license-file-field
+        # latest spec rev: https://discuss.python.org/t/pep-639-round-3-improving-license-clarity-with-better-package-metadata/53020  # noqa: E501
+        content = None
+        for mlpath in _LICENSE_LOCATIONS:
+            try:
+                content = dist.read_text(join(mlpath, mlfile))
+            except UnicodeDecodeError as err:
                 try:
-                    content = dist.read_text(join(mlpath, mlfile))
-                except UnicodeDecodeError as err:
-                    try:
-                        content = bytes2str(err.object)
-                    except UnicodeDecodeError:
-                        pass
-                    else:
-                        break  # for-loop
+                    content = bytes2str(err.object)
+                except UnicodeDecodeError:
+                    pass
                 else:
-                    if content is not None:
-                        break  # for-loop
-            if content is None:  # pragma: no cover
-                logger.debug('Error: failed to read license file %r for dist %r',
-                             mlfile, metadata['Name'])
-                continue
-            encoding = None
-            content_type = guess_type(mlfile) or AttachedText.DEFAULT_CONTENT_TYPE
-            # per default, license files are human-readable texts.
-            if not content_type.startswith('text/'):
-                encoding = Encoding.BASE_64
-                content = b64encode(content.encode('utf-8')).decode('ascii')
-            yield DisjunctiveLicense(
-                name=f'declared license file: {mlfile}',
-                acknowledgement=lack,
-                text=AttachedText(
-                    content=content,
-                    encoding=encoding,
-                    content_type=content_type
-                ))
+                    break  # for-loop
+            else:
+                if content is not None:
+                    break  # for-loop
+        if content is None:  # pragma: no cover
+            logger.debug('Error: failed to read license file %r for dist %r',
+                         mlfile, metadata['Name'])
+            continue
+        encoding = None
+        content_type = guess_type(mlfile) or AttachedText.DEFAULT_CONTENT_TYPE
+        # per default, license files are human-readable texts.
+        if not content_type.startswith('text/'):
+            encoding = Encoding.BASE_64
+            content = b64encode(content.encode('utf-8')).decode('ascii')
+        yield DisjunctiveLicense(
+            name=f'declared license file: {mlfile}',
+            acknowledgement=lack,
+            text=AttachedText(
+                content=content,
+                encoding=encoding,
+                content_type=content_type
+            ))